From owner-svn-src-all@freebsd.org  Thu May 16 09:13:42 2019
Return-Path: <owner-svn-src-all@freebsd.org>
Delivered-To: svn-src-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id AD960158BE45;
 Thu, 16 May 2019 09:13:42 +0000 (UTC)
 (envelope-from tuexen@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 51F7D6B87D;
 Thu, 16 May 2019 09:13:42 +0000 (UTC)
 (envelope-from tuexen@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 2BDFA1ECC4;
 Thu, 16 May 2019 09:13:42 +0000 (UTC)
 (envelope-from tuexen@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x4G9DgmJ039842;
 Thu, 16 May 2019 09:13:42 GMT (envelope-from tuexen@FreeBSD.org)
Received: (from tuexen@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id x4G9DgKF039841;
 Thu, 16 May 2019 09:13:42 GMT (envelope-from tuexen@FreeBSD.org)
Message-Id: <201905160913.x4G9DgKF039841@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: tuexen set sender to
 tuexen@FreeBSD.org using -f
From: Michael Tuexen <tuexen@FreeBSD.org>
Date: Thu, 16 May 2019 09:13:42 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r347669 - stable/11/sys/netinet
X-SVN-Group: stable-11
X-SVN-Commit-Author: tuexen
X-SVN-Commit-Paths: stable/11/sys/netinet
X-SVN-Commit-Revision: 347669
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Rspamd-Queue-Id: 51F7D6B87D
X-Spamd-Bar: --
Authentication-Results: mx1.freebsd.org
X-Spamd-Result: default: False [-2.98 / 15.00];
 local_wl_from(0.00)[FreeBSD.org];
 NEURAL_HAM_MEDIUM(-1.00)[-0.998,0];
 NEURAL_HAM_SHORT(-0.98)[-0.979,0];
 ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US];
 NEURAL_HAM_LONG(-1.00)[-1.000,0]
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all/>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 16 May 2019 09:13:42 -0000

Author: tuexen
Date: Thu May 16 09:13:41 2019
New Revision: 347669
URL: https://svnweb.freebsd.org/changeset/base/347669

Log:
  MFC r344872:
  
  After removing an entry from the stream scheduler list, set the pointers
  to NULL, since we are checking for it in case the element gets inserted
  again.
  
  This issue was found by running syzkaller.

Modified:
  stable/11/sys/netinet/sctp_ss_functions.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/netinet/sctp_ss_functions.c
==============================================================================
--- stable/11/sys/netinet/sctp_ss_functions.c	Thu May 16 09:12:13 2019	(r347668)
+++ stable/11/sys/netinet/sctp_ss_functions.c	Thu May 16 09:13:41 2019	(r347669)
@@ -76,9 +76,10 @@ sctp_ss_default_clear(struct sctp_tcb *stcb, struct sc
 		SCTP_TCB_SEND_LOCK(stcb);
 	}
 	while (!TAILQ_EMPTY(&asoc->ss_data.out.wheel)) {
-		struct sctp_stream_out *strq = TAILQ_FIRST(&asoc->ss_data.out.wheel);
+		struct sctp_stream_out *strq;
 
-		TAILQ_REMOVE(&asoc->ss_data.out.wheel, TAILQ_FIRST(&asoc->ss_data.out.wheel), ss_params.rr.next_spoke);
+		strq = TAILQ_FIRST(&asoc->ss_data.out.wheel);
+		TAILQ_REMOVE(&asoc->ss_data.out.wheel, strq, ss_params.rr.next_spoke);
 		strq->ss_params.rr.next_spoke.tqe_next = NULL;
 		strq->ss_params.rr.next_spoke.tqe_prev = NULL;
 	}
@@ -791,12 +792,17 @@ static void
 sctp_ss_fcfs_clear(struct sctp_tcb *stcb, struct sctp_association *asoc,
     int clear_values, int holds_lock)
 {
+	struct sctp_stream_queue_pending *sp;
+
 	if (clear_values) {
 		if (holds_lock == 0) {
 			SCTP_TCB_SEND_LOCK(stcb);
 		}
 		while (!TAILQ_EMPTY(&asoc->ss_data.out.list)) {
-			TAILQ_REMOVE(&asoc->ss_data.out.list, TAILQ_FIRST(&asoc->ss_data.out.list), ss_next);
+			sp = TAILQ_FIRST(&asoc->ss_data.out.list);
+			TAILQ_REMOVE(&asoc->ss_data.out.list, sp, ss_next);
+			sp->ss_next.tqe_next = NULL;
+			sp->ss_next.tqe_prev = NULL;
 		}
 		if (holds_lock == 0) {
 			SCTP_TCB_SEND_UNLOCK(stcb);
@@ -859,6 +865,8 @@ sctp_ss_fcfs_remove(struct sctp_tcb *stcb, struct sctp
 	    ((sp->ss_next.tqe_next != NULL) ||
 	    (sp->ss_next.tqe_prev != NULL))) {
 		TAILQ_REMOVE(&asoc->ss_data.out.list, sp, ss_next);
+		sp->ss_next.tqe_next = NULL;
+		sp->ss_next.tqe_prev = NULL;
 	}
 	if (holds_lock == 0) {
 		SCTP_TCB_SEND_UNLOCK(stcb);